Ingest pipeline should work based on conditions

Mohan_vel · June 19, 2020, 12:46pm

Hi i have created a ingest pipeline using grok processor below is my processor

Ingest pipeline with grok

      PUT _ingest/pipeline/dissectpipeline
        {
          "description" : "split message content",
          "processors": [
            {
              "grok": {
                  "field": "message",
                  "patterns": ["agentId:%{NOTSPACE:agentId}","statuscode:%{NOTSPACE:statuscode}"]
                }
            }
          ]
        }

Pipeline simulation example

    POST /_ingest/pipeline/dissectpipeline/_simulate
    {
      "docs": [
        {
          "_index": "index",
          "_id": "id",
          "_source": {
            "message": "agentId:F00356"
          }
        },
        {
          "_index": "index",
          "_id": "id",
          "_source": {
             "message": "statuscode:400"
          }
        },
        {
          "_index": "index",
          "_id": "id",
          "_source": {
             "message": "log event SQL Success:200"
          }
        }
      ]
    }

For first and second document it is working as expected but for my 3 rd document it's throwing error grok pattern not matched. Same happening while indexing my real time documents.

Here my requirement is only if the message field of a document contains specific text it should grok else it should not consider for grok ultimately the thing is while calling this pipeline in my filebeat all the document should get indexed in elasticsearch only for few documents which contains specific text like agentId, statuscode, serviceclient in message field it should get groked and created respective field with in the same document. Kindly someone help me to achieve this. Thanks in advance.

Note : In all my incoming documents message field should not contain grok pattern text. lot more varies.

If any clarifications needed let me know.

Mohan_vel · June 20, 2020, 7:05am

Hi Guys, I have done something like this and it seems to be working fine.

**Pipeline**

    PUT _ingest/pipeline/dissectpipeline
        {
          "description" : "split message content",
          "processors": [
            {
              "grok": {
                  "field": "message",
                  "patterns": ["CSIC_agentId:%{NOTSPACE:apm_agentId.agentId}","CSIC_statuscode:%{NOTSPACE:apm_statuscode.statuscode}"
                    ,"CSIC_servicename:%{NOTSPACE:apm_servicename.servicename}"]
                }
            }
          ]
        }

pipeline with conditions

    PUT _ingest/pipeline/logs_pipeline
    {
      "description": "A pipeline of pipelines for log files",
      "version": 1,
      "processors": [
        {
          "pipeline": {
            "if": "ctx.message.toLowerCase().contains('csic_agentid')||ctx.message.toLowerCase().contains('csic_statuscode')||ctx.message.toLowerCase().contains('csic_servicename')",
            "name": "dissectpipeline"
          }
        }
      ]
    }

Could some one let me know is this a right approach?

system · July 18, 2020, 7:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Generate grok custom pattern to message filed Elasticsearch	9	568	July 16, 2020
[Ingest pipeline] tag and trace match Elasticsearch ingest-pipeline	1	941	March 31, 2022
Conditions in Ingest node pipeline Elasticsearch	6	2301	November 25, 2017
Ingest Processor Conditional Elasticsearch	2	551	July 7, 2020
Ingest Pipeline Creating Grok Pattern with string as dependency Elasticsearch ingest-pipeline	2	130	March 10, 2024

Ingest pipeline should work based on conditions

Related topics